Only run a single post-auth when using inner-tunnel

Phil Mayers p.mayers at
Mon Mar 7 12:08:28 CET 2011

On 07/03/11 10:10, paul smith wrote:

> Is there some way I can tell the server not to run things in the
> default post-auth, if the request has been through the inner-tunnel?
> I'm thinking putting something like the following in the default
> post-auth section
> 	if (!proxy-reply:Packet-Type == "Access-Accept") {
> 		radius-user-auth
> 	}

How about:

post-auth {
   if (!EAP-Message) {
     ...the exec module

> However this always evaluates as true, even though I can see the
> inner-tunnel authenticating successfully.

Inner tunnel is not proxying, so proxy-reply is always empty, hence 
evaluates to "true". Don't confusing proxying with EAP phases.

More information about the Freeradius-Users mailing list